Author: rareddy
Date: 2011-10-07 11:25:46 -0400 (Fri, 07 Oct 2011)
New Revision: 3543
Modified:
branches/7.4.x/build/kits/jboss-container/deploy/teiid/teiid-jboss-beans.xml
branches/7.4.x/documentation/admin-guide/src/main/docbook/en-US/content/security.xml
branches/7.4.x/runtime/src/main/java/org/teiid/transport/SSLConfiguration.java
branches/7.4.x/runtime/src/test/java/org/teiid/transport/TestCommSockets.java
Log:
SOA-3448: adds the ability to configure cipher suites for selecting encryption
strength. Also adds documentation for the LDAP configuration.
Modified: branches/7.4.x/build/kits/jboss-container/deploy/teiid/teiid-jboss-beans.xml
===================================================================
---
branches/7.4.x/build/kits/jboss-container/deploy/teiid/teiid-jboss-beans.xml 2011-10-07
14:49:25 UTC (rev 3542)
+++
branches/7.4.x/build/kits/jboss-container/deploy/teiid/teiid-jboss-beans.xml 2011-10-07
15:25:46 UTC (rev 3543)
@@ -221,6 +221,9 @@
<property name="truststorePassword">passwd</property>
<!-- 1-way, 2-way, anonymous -->
<property name="authenticationMode">anonymous</property>
+ <!-- uncomment for enforcing the minimum 128 bit encryption, edit or supply
only supported cipher suites from JVM
+ <property
name="enabledCipherSuites">SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_KRB5_WITH_RC4_128_MD5,TLS_KRB5_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_KRB5_WITH_3DES_EDE_CBC_MD5,TLS_KRB5_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA</property>
+ -->
</bean>
<!-- JDBC Socket connection properties (SSL see below) -->
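Review bot: The comment on the new commented-out property describes it as "enforcing the minimum 128 bit encryption", but the property is a plain allow-list of suite names; nothing checks key strength, and per the SSLConfiguration change in this commit any name the server JVM does not support makes engine creation fail rather than being skipped. The sample list also mixes in RC4/MD5-based and 3DES suites, which an operator should review against current cipher guidance before copying, and TLS_KRB5_* suites, which are only usable on a Kerberos-configured JVM. I would reword the comment to `<!-- optional: restrict the negotiated cipher suites to this comma-separated allow-list; every name must be supported by the server JVM or SSL startup will fail. Review the sample list against current cipher guidance before enabling. -->` so the property's actual semantics are clear to whoever uncomments it.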
Modified:
branches/7.4.x/documentation/admin-guide/src/main/docbook/en-US/content/security.xml
===================================================================
---
branches/7.4.x/documentation/admin-guide/src/main/docbook/en-US/content/security.xml 2011-10-07
14:49:25 UTC (rev 3542)
+++
branches/7.4.x/documentation/admin-guide/src/main/docbook/en-US/content/security.xml 2011-10-07
15:25:46 UTC (rev 3543)
@@ -84,23 +84,106 @@
The default name of JDBC connection's security-domain is
"teiid-security". The default name for Admin connection
is "jmx-console". For the Admin connection's security
domain, the user is allowed
to change which LoginModule that "jmx-console" pointing to,
however should not change the name of the domain, as this name is
- shared between the "admin-console" application.</para>
+ shared between the "admin-console" application. In existing
installations an appropriate security
+ domain may already be configured for use by administrative clients
(typically "jmx-console").
+ In this case it may be perfectly valid to reuse this existing security domain
instead of
+ creating a new teiid-security security domain.</para>
</note>
<section>
<title>Built-in LoginModules</title>
- <para>JBossAS provides several LoginModules for common authentication needs,
such as authenticating from text files or LDAP.</para>
- <para>The UsersRolesLoginModule, which utilizes simple text files
- to authenticate users and to define
- their groups. The teiid-jboss-beans.xml configuration file contains an example of
how to use UsersRolesLoginModule.
- Note that this is typically not for production use and is strongly recommended that
you replace this login module. Please
- also note that, you can install multiple login modules as part of single
security domain configuration and configure them
- to part of login process. For example, for "teiid-security"
domain, you can configure a file based and also LDAP based login modules,
- and have your user authenticated with either both or single login module.
+ <para>JBossAS provides several LoginModules for common authentication needs,
such as authenticating from a
+ <xref linkend="text-login"/> or a <xref
linkend="ldap-login"/>.</para>
+ <para>You can install multiple login modules as part of single security
domain configuration and configure them
+ to part of login process. For example, for "teiid-security"
domain, you can configure a file based
+ and also LDAP based login modules,
+ and have your user authenticated with either or both login modules. If
you want to write your own
+ custom login module, check out the Developer's Guide for
instructions.
</para>
- <para>See <ulink
url="http://community.jboss.org/docs/DOC-11253">LDAP LoginModule
configuration</ulink> for utilizing LDAP based authentication.
- If you want write your own Custom Login module, check out the Developer's
Guide for instructions.
- </para>
+
+ <section id="text-login">
+ <title>Text Based LoginModule</title>
+ <para>
+ The UsersRolesLoginModule utilizes simple text files to authenticate
users and to define their groups.
+ The teiid-jboss-beans.xml configuration file contains an example of
how to use UsersRolesLoginModule.
+ <note>
+ <para>The UsersRolesLoginModule is not recommended for
production use and is strongly recommended that you replace this login
module.</para>
+ </note>
+ </para>
+ <para>User
+ names and passwords are stored in the
<profile>conf/props/teiid-security-users.properties file.
+ <example>
+ <title>Example user.properties file</title>
+ <programlisting><![CDATA[# A users.properties file for
use with the UsersRolesLoginModule
+ # username=password
+
+ fred=password
+ george=password
+ ...]]></programlisting>
+ </example>
+
+ JAAS role assignments are stored in the
<profile>conf/props/teiid-security-roles.properties file.
+ <example>
+ <title>Example user.properties file</title>
+ <programlisting><![CDATA[# A roles.properties file for
use with the UsersRolesLoginModule
+ # username=role1,role2,...
+
+ data_role_1=fred,sally
+ data_role_2=george
+ ]]></programlisting>
+ </example>
+
+ User and role names are entirely up to the needs of the given
deployment. For example each application team can set their own security constraints for
their VDBs, by mapping their VDB data roles to application specific JAAS roles, e.g.
app_role_1=user1,user2,user3.
+ <note>
+ <para>Teiid data roles names are independent of JAAS roles.
VDB creators can choose whatever name they want for their data roles, which are then
mapped at deployment time to JAAS roles.</para>
+ </note>
+ </para>
+ </section>
+ <section id="ldap-login">
+ <title>LDAP Based LoginModule</title>
+ <para>
+ See
+ <ulink
url="http://community.jboss.org/docs/DOC-11253">LDAP LoginModule
configuration</ulink>
+ for the AS community guide. The following are streamlined
installation instruction.
+ <orderedlist>
+ <listitem>
+ <para>If using SSL to the LDAP server, ensure that the
Corporate CA Certificate is added to the JRE trust store.</para>
+ </listitem>
+
+ <listitem>
+ <para>Include LDAP LoginModule in the JAAS
Configuration</para>
+ <para>Configure
+ LDAP authentication by editing
<profile>conf/login-config.xml. If you wish to configure specifically for
teiid, then the security domain teiid-security will need to be created/altered.
+ In new installations the more likely option is that you
want to configure LDAP based authentication for the AS itself by modifying the
"jmx-console" security domain.
+ You could do one of the following for Teiid:
+ <itemizedlist>
+ <listitem>
+ <para>Reuse the jmx-console (or whatever
name you choose) security domain for Teiid by changing the teiid configuration in
<profile>/deploy/teiid/teiid-jboss-beans.xml
+ to point to jmx-console, rather than
teiid-security.
+ </para>
+ </listitem>
+ <listitem>
+ <para>Follow the same steps to configure an
LDAP security domain named teiid-security.
+ </para>
+ </listitem>
+ <listitem>
+ <para>Leave Teiid to use the default file
based LoginModule secuirty domain or create an entirely custom security domain
configuration.
+ </para>
+ </listitem>
+ </itemizedlist>
+ </para>
+ </listitem>
+ <listitem>
+ <para>Obscure the LDAP Password</para>
+ <para>
+ Finally, protect the password following
+ <ulink
url="http://docs.redhat.com/docs/en-US/JBoss_Enterprise_Application_...
instructions.</ulink>
+ Note that the salt must be 8 chars andd see also
http://community.jboss.org/message/137756#137756 for more on securing passwords.
+ </para>
+ </listitem>
+ </orderedlist>
+ </para>
+ </section>
</section>
<section>
@@ -250,6 +333,8 @@
<property name="truststorePassword">passwd</property>
<!-- 1-way, 2-way, anonymous -->
<property name="authenticationMode">1-way</property>
+ <!-- an optional property to constrain the cipher suites to be negotiated between
server and client -->
+ <property
name="enabledCipherSuites">SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA</property>
</bean>]]></programlisting>
</example>
<itemizedlist>
@@ -270,6 +355,7 @@
public key for the client. Depending upon how you created the keystore and
truststores,
this may be same file as defined under "keystoreFilename"
property.</para></listitem>
<listitem><para>truststorePassword - password for the truststore.
</para></listitem>
+ <listitem><para>enabledCipherSuites - A comma separated list of
cipher suites allowed for encryption between server and client. The values must be valid
supported cipher suites otherwise SSL connections will
fail.</para></listitem>
</itemizedlist>
<section id="ssl_auth">
<title>SSL Authentication Modes</title>
@@ -291,8 +377,9 @@
</section>
<section id="encryption_strength">
<title>Encryption Strength</title>
- <para>Both anonymous SSL and login only encryption are configured to use
128 bit AES encryption.
- 1-way and 2-way SSL allow for cipher suite negotiation based upon the default
cipher suites supported by the respective Java platforms of the client and server.
+ <para>Both anonymous SSL and login only encryption are configured to use
128 bit AES encryption by default. By default,
+ 1-way and 2-way SSL allow for cipher suite negotiation based upon the default
cipher suites supported by the respective Java platforms of the client and server.
+ User can restrict the cipher suites used for encryption by specifying the
<emphasis>enabledCipherSuites</emphasis> property above in ssl configuration.
</para>
</section>
</section>
Modified: branches/7.4.x/runtime/src/main/java/org/teiid/transport/SSLConfiguration.java
===================================================================
---
branches/7.4.x/runtime/src/main/java/org/teiid/transport/SSLConfiguration.java 2011-10-07
14:49:25 UTC (rev 3542)
+++
branches/7.4.x/runtime/src/main/java/org/teiid/transport/SSLConfiguration.java 2011-10-07
15:25:46 UTC (rev 3543)
@@ -59,8 +59,10 @@
private String trustStoreFileName;
private String trustStorePassword = ""; //$NON-NLS-1$
private String authenticationMode = ONEWAY;
+ private String[] enabledCipherSuites;
- public SSLEngine getServerSSLEngine() throws IOException, GeneralSecurityException {
+
+ public SSLEngine getServerSSLEngine() throws IOException, GeneralSecurityException {
if (!isSslEnabled()) {
return null;
}
@@ -86,10 +88,13 @@
if
(!(Arrays.asList(result.getSupportedCipherSuites()).contains(SocketUtil.ANON_CIPHER_SUITE)))
{
throw new
GeneralSecurityException(RuntimePlugin.Util.getString("SSLConfiguration.no_anonymous"));
//$NON-NLS-1$
}
- result.setEnabledCipherSuites(new String[] {
- SocketUtil.ANON_CIPHER_SUITE
- });
- }
+ result.setEnabledCipherSuites(new String[] {SocketUtil.ANON_CIPHER_SUITE});
+ } else {
+ if (this.enabledCipherSuites != null) {
+ result.setEnabledCipherSuites(this.enabledCipherSuites);
+ }
+ }
+
result.setNeedClientAuth(TWOWAY.equals(authenticationMode));
return result;
}
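Review bot: In the new `else` branch the configured suites are handed straight to `result.setEnabledCipherSuites(...)`, which throws IllegalArgumentException for an unsupported name, while the anonymous branch just above validates against `result.getSupportedCipherSuites()` and throws a GeneralSecurityException with an i18n message; the two paths should fail the same way so callers catching the declared GeneralSecurityException see a misconfigured suite list. The admin-guide text added in this commit ("values must be valid supported cipher suites otherwise SSL connections will fail") would then be backed by a message naming the offending suite. Note also that in anonymous mode a configured list is silently ignored, which deserves a one-line comment on the `if` branch. The enclosing method `getServerSSLEngine` starts outside this hunk.
```java
        } else if (this.enabledCipherSuites != null) {
            // Fail like the anonymous branch does when a configured suite is not
            // supported by this JVM, instead of surfacing an IllegalArgumentException
            // from SSLEngine.setEnabledCipherSuites.
            for (String suite : this.enabledCipherSuites) {
                if (!Arrays.asList(result.getSupportedCipherSuites()).contains(suite)) {
                    // TODO: route through RuntimePlugin.Util.getString with a new key, like no_anonymous
                    throw new GeneralSecurityException("Unsupported cipher suite: " + suite);
                }
            }
            result.setEnabledCipherSuites(this.enabledCipherSuites);
        }
        // … unchanged: setNeedClientAuth and return …
```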
@@ -142,4 +147,11 @@
this.authenticationMode = value;
}
+ public void setEnabledCipherSuites(String enabledCipherSuites) {
+ this.enabledCipherSuites = enabledCipherSuites.split(","); //$NON-NLS-1$
+ }
+
+ public String[] getEnabledCipherSuites() {
+ return enabledCipherSuites;
+ }
}
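Review bot: `setEnabledCipherSuites` calls `enabledCipherSuites.split(",")` with no null or whitespace handling, so a bean property that is absent, empty, or wrapped across lines (the sample value in teiid-jboss-beans.xml is a single very long line that operators are likely to break up) yields either a NullPointerException or entries such as `" TLS_RSA_WITH_AES_128_CBC_SHA"` that will never match a supported suite name. Trimming each entry, dropping empties, and treating null/blank as "not configured" keeps the existing tests (`"x"` and `"x,y,z"`) passing while making the setter safe for real configuration files; `List`/`ArrayList` need importing if the file does not already. The getter returns the internal array, so `return enabledCipherSuites == null ? null : enabledCipherSuites.clone();` would keep callers from mutating configuration state.
```java
    public void setEnabledCipherSuites(String enabledCipherSuites) {
        // null/blank means "not configured": fall back to the JVM default suites
        if (enabledCipherSuites == null || enabledCipherSuites.trim().length() == 0) {
            this.enabledCipherSuites = null;
            return;
        }
        List<String> suites = new ArrayList<String>();
        for (String part : enabledCipherSuites.split(",")) { //$NON-NLS-1$
            String suite = part.trim(); // tolerate whitespace/line breaks around names in the bean XML
            if (suite.length() > 0) {
                suites.add(suite);
            }
        }
        this.enabledCipherSuites = suites.isEmpty() ? null : suites.toArray(new String[suites.size()]);
    }
```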
Modified: branches/7.4.x/runtime/src/test/java/org/teiid/transport/TestCommSockets.java
===================================================================
---
branches/7.4.x/runtime/src/test/java/org/teiid/transport/TestCommSockets.java 2011-10-07
14:49:25 UTC (rev 3542)
+++
branches/7.4.x/runtime/src/test/java/org/teiid/transport/TestCommSockets.java 2011-10-07
15:25:46 UTC (rev 3543)
@@ -217,6 +217,7 @@
@Test public void testAnonSSLConnect() throws Exception {
SSLConfiguration config = new SSLConfiguration();
config.setMode(SSLConfiguration.ENABLED);
+ config.setEnabledCipherSuites("x"); //ensure that this cipher suite is not
used
config.setAuthenticationMode(SSLConfiguration.ANONYMOUS);
Properties p = new Properties();
p.setProperty("org.teiid.sockets.soTimeout", "100");
@@ -255,4 +256,10 @@
conn.close();
}
+ @Test public void testEnableCipherSuites() throws Exception {
+ SSLConfiguration config = new SSLConfiguration();
+ config.setEnabledCipherSuites("x,y,z");
+ assertArrayEquals(new String[] {"x","y","z"},
config.getEnabledCipherSuites());
+ }
+
}
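Review bot: `testEnableCipherSuites` only checks the comma split; nothing exercises the new non-anonymous branch in `SSLConfiguration.getServerSSLEngine`, which is the path the feature exists for. I would add a test that sets the authentication mode to 1-way, configures one suite name the JVM supports, and asserts `getServerSSLEngine().getEnabledCipherSuites()` contains exactly that suite, plus a companion case with an unsupported name (like the `"x"` already used in testAnonSSLConnect) asserting that engine creation fails rather than succeeding with the default suites. A parsing case for whitespace and an empty string (e.g. `" x , y "` and `""`) would also pin whatever behaviour the setter is meant to have for hand-edited bean XML; today that input is passed through untrimmed, if I read the setter correctly.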